1. Introduction
This manual serves as a guide to successfully carry out the Bit4id Kit installation process for the use of cryptographic cards and the procedure for accessing and using the management application. The Bit4id Kit consists of the following components:
Bit4id Middleware: libraries that allow any application of the Operating System to operate with cryptographic cards.
PKIManager-aoc: application for managing the card, which allows you to perform operations such as changing PIN or PUK, unlocking PIN, obtaining information about the card, importing or exporting certificates...
This manual will guide you in a simple way in the process of installing and using the Kit Bit4id.
1.1. Who is this document for?
End users, who will use chip cards in MacOS environments.
2. Before you start
Make sure you have:
one standard, PC/SC compatible card reader that is properly connected, installed and configured. Follow the instructions provided by the reader manufacturer to verify correct installation and operation.
The latest version of the Bit4id Kit . Link to download the latest version
To be able to perform the installation, it is essential to have Administrator permissions . If you don't have it, the installation will be denied.
3. Installation
If necessary, you will have to download and install the drivers for your computer to recognize the reader you have purchased. To do this, go to the official page of the reader manufacturer.
Follow the instructions provided by the reader manufacturer to verify correct installation and operation.
If you purchase a bit4id reader, if your version of Mac OS has the PCSC drivers installed by default, it will not be necessary to download any drivers. Otherwise, you must download and install the reader drivers:
- Processors with Intel chip: https://cdn.bit4id.com/es/AOC/drivers/Bit4id_drivers_MacOS.zip .
- Processors with Apple chip: https://cdn.bit4id.com/es/AOC/drivers/Bit4id_drivers_MacOS.zip .
3.1. PKI Manager Installation Assistant
- Go to the folder where you downloaded the file and run it.
- Follow the installer steps.
Once the PKI Manager installation is complete, restart the computer.
Once the reboot is complete, open the app.
This is what it looks like without any device connected:
- With the application open, connect the reader to a USB port and then insert the card. You can also do this process by plugging the token into a USB port.
4. Problems during installation
You may have older versions of the Card Management application (Bit4id PKI Manager) installed on your computer, so you will be prompted to remove older versions before running the install. lader Remove these versions and run the installer again.
How to uninstall an older version of PKI Manager?
- Open the Finder
- Go to the Applications tab
- Select the application to uninstall with one click
- Head to file in the upper area of the screen
- Click: Move to Trash
5. Settings in Firefox
ATTENTION: if you are using a version of Mac OS Big Sur or later you can skip this step, because in the new versions the libraries libbit4xpki.dylib is already incorporated into the system. If it doesn't recognize the certificates, continue.
To be able to use the certificates contained in the smart card in the Mozilla Firefox browser, it is necessary to incorporate some Bit4id Universal Middleware libraries manually.
The automated incorporation of security devices in Firefox was disabled from version 3.5 as a security measure.
- Open Mozilla Firefox, go to
→ Preferences (
)
- In the section of
Privacy and Security, look for the certificates section and click on Security Devices
- Device Manager will open. Click on load
- When this window opens, you need to search for the PKCS#11 device driver. click Browse… to look for it in your team.
In the previous window, the following data must be entered:
Name of the module: Bit4id Universal Middleware
Module file: /Applications/PKIManager-bit4id.app/Contents/Resources/etc/libbit4xpki.dylib
Then click Accept. The module will be incorporated successfully, and the installation in Firefox will be complete.
6. Settings in Adobe Reader
ATTENTION: if you are using a version of Mac OS Big Sur or later you can skip this step, due to the fact that in new versions the libbit4xpki.dylib library is already incorporated into the system. If it doesn't recognize the certificates, continue.
In order to be able to sign with the certificates contained in the smart card in Adobe Reader, it is necessary to incorporate some Bit4id Universal Middleware libraries manually.
- Open a PDF document with Adobe Reader. Then go to Tools → Certificates
- Select the option of Sign digitally
- A pop-up window will open. click "Set up digital ID"
- Select the first option (“ Use a signature creation device ”) and click to continue
- click "Manage Digital ID"
- A pop-up window will open. In the left side menu, make sure it is selected "PKCS#11 Modules and Badges" . click "Attach Module"
- Another popup window will open. It prompts you to enter the PKCS11 library path.
- Library path: /Applications/PKIManager-bit4id.app/Contents/Resources/etc/libbit4xpki.dylib
- Check that the module has been created bit4id PKCS#11 . Then restart Adobe Reader.
Open Adobe and perform steps 1 and 2 again. It will show you the available certificates of the cryptographic device you have connected.
Select the desired certificate and click Continue
Enter the PIN and click to sign
7. Functionalities
The Bit4id PKI Manager application has multiple functionalities available from the main screen.
IMPORTANT: Bit4id PKI Manager comes by default with the user version. To be able to have all its functionalities, you must switch to the administrator version using the command: Command+A
7.1. Functionality tables
Basic functionalities:
Table of basic functionalities
| function | Description |
|---|---|
| Unlock PIN | Function to unlock the card PIN. |
| Change PIN | Function to change the PIN of the card. |
| Change the PUK | Function to change the PUK of the card. |
| Login/Logout | Function to log in/out of the card. |
| Device information | Tab where we will find the description of the connected device and the card. |
| Certificates | Tab where we will find the user and CA certificates loaded on the card. |
To access the extra features, click:
Extra features:
Table of extra features
| function | Description |
|---|---|
| Login/Logout | Sign in/out of card content. |
| Refresh | Refresh the token/card content to see new certificates. |
| Change the device name | Define the name under which the device appears. |
| Change PIN | Function to change the PIN of the card. |
| Unlock PIN | Function to unlock the PIN of the card using its PUK. |
| Change the PUK | Function to change the PUK of the card. |
| Import certificate | Function to import a certificate to your card. |
| Erase the device | Function to erase ALL certificates and keys from the card token. |
- Login
To access any functionality offered by the software, you must enter the PIN of the card
- Change PIN
To change the PIN, enter the PIN of the card and the new PIN. The new PIN must be between 4 and 8 alphanumeric digits.
- Unlock PIN
To unlock the PIN, enter the PUK of the card and the new PIN. The new PIN must be between 4 and 8 alphanumeric digits.
- Change the PUK
Enter the card's old PUK and the new PUK. The new PUK must be between 4 and 8 alphanumeric digits.
- import
This option allows the import of certificates on the card. The accepted formats for importing .p12 or .pfx card certificates since these formats include the certificate's private key, which is essential to carry out cryptographic operations.
To start the import, first select the certificate from its location, as shown in the following image:
Once the certificate is selected, press "Open":
The system will ask you for the password of the PFX or P12 file (certificate and its private key) that you want to import, which contains your certificate and key pair. Insert it and complete the import options according to your convenience, where:
– Import certificates with no associated key peer: allows you to import the entire certification hierarchy included in the PFX or P12 file. It is recommended NOT to MARK this option.
– Define CKA_ANEU from PKCS#11: identifier that certain applications use when displaying the certificate. It is recommended to enter a useful identifier value, for example pedro_signature, pedro_access, pedro_encryption, etc.
And the certificate import will be completed:
In the event that you want to check that the certificate has been correctly saved, remember that you can review all the certificates stored on the card through the "View" option of Bit4id PKI Manager.
- Certificate details
Once the card's PIN is entered, you can see the certificates included. In the pop-up window displayed by the application, you can see information
- Card information
Provides detailed card information: model, serial number, manufacturer and label.
It is possible that support ( soporte@bit4id.com ) will ask you for this information to know the type of card you are using.
8. Frequently asked questions
Can I mix numbers and letters for the card PIN number?
Yes, no problem, as long as the new PIN is between 4 and 8 digits.
Is there a maximum number of PIN entries in case I have any doubts and do not remember my PIN number? When can the card be blocked?
If the PIN code is entered incorrectly more than 3 times, it is blocked. Follow the steps to unlock the PIN indicated in the previous point.
Is there a maximum number of PUK entries to try to unlock the PIN? What happens if the card is blocked?
If the PUK code is entered incorrectly more than 3 times, it is blocked. For security reasons, the card is completely blocked.
9. Glossary
Certification Authority: it is the trusted entity, responsible for issuing and revoking the electronic certificates used in the electronic signature. The Certification Authority, by itself or through the intervention of a Registration Authority, verifies the identity of the applicant for a certificate before it is issued or, in the case of certificates issued with the condition of being revoked, removes the revocation of certificates when verifying this identity.
Expiration of the digital certificate: the digital certificate has a period of validity that is stated in the certificate itself. It is generally 2 years, although by law a validity of up to 5 years is allowed. Once the certificate has expired, it will not be possible to use the services offered by the Administration that require an electronic signature, and any electronic signature made after that time will not be valid.
Digital certificate: document in computer support issued and signed by the Certification Authority, which guarantees the identity of its owner.
Recognized certificate: certificate issued by a Certification Service Provider that meets the requirements established in the Law regarding the verification of the identity and other circumstances of the applicants and the reliability and guarantees of the certification services they provide, in accordance with the provisions of Chapter II of Title II of Law 59/2003, of December 19, on Electronic Signatures.
Electronic signature: set of data, in electronic form, attached to other electronic data or functionally associated with them, used as a means to formally identify the author or authors of the document that collects it. There are 3 types of electronic signature: simple, advanced and recognized electronic signature.
Simple electronic signature: set of data, in electronic form, annexed to other data.
Advanced electronic signature: an electronic signature that allows the signer to be identified and any subsequent changes to the signed data to be detected, that is uniquely linked to the signer and the data it refers to, and that has been created by means that the signer can maintain under its exclusive control.
Recognized electronic signature: An advanced electronic signature based on a recognized certificate and generated using a secure signature creation device is considered a recognized electronic signature. The recognized electronic signature will have the same value with respect to the data entered in electronic form as the handwritten signature in relation to those entered on paper.
Hash function: is an operation that is performed on a set of data of any size, so that the result obtained is another set of data of a fixed size, regardless of the original size, and that has the property of being uniquely associated with the data initials, that is, it is impossible to find two different messages that generate the same result when applying the Hash Function.
Hash or Fingerprint: a result of fixed size that is obtained after applying a hash function to a message and that fulfills the property of being uniquely associated with the initial data.
Integrity: integrity is the quality of a document or file that has not been altered and that also allows you to verify that no manipulation has occurred in the original document.
Certificate Revocation Lists or Lists of Revoked Certificates: the list that contains exclusively the relations of revoked or suspended certificates (not the expired ones).
I do not repudiate: the sender who electronically signs a document cannot deny that he sent the original message, since this is imputable to the sender by means of the private key that only he knows and that he is obliged to keep. Non-repudiation also allows you to check who participated in a transaction.
Non-repudiation or non-repudiation is a security service that is closely related to authentication and that allows you to prove the participation of the parties in a communication. The essential difference with authentication is that the former occurs between the parties establishing the communication and the non-repudiation service occurs against a third party
Certification Service Provider or PSC: natural or legal person that issues electronic certificates or provides other services in relation to the electronic signature. See Certification Authority.
PIN: sequence of characters that allow access to the certificates. Personal Identification Number, sometimes called PIN.
PUK: sequence of characters that allow changing or unlocking the PIN. Personal Unlocking Key.
Renewal: Renewal consists of requesting a new certificate using a certificate that is valid but is about to expire. In this way, before the expiry of a certificate you can apply for renewal and this implies that a new valid certificate is issued.
Revocation: definitive cancellation of a digital certificate at the request of the subscriber, or at the Certification Authority's own initiative in case of doubt about the security of the keys. Revocation is an irreversible state. The revocation of a certificate can be requested after a situation of suspension or at the will of the persons authorized to request it. Likewise, in the case of a suspended certificate, if the maximum suspension period has passed, if the certificate has not been enabled, it becomes definitively revoked. When the certification body revokes or suspends a certificate, it must make it appear in the Lists of Revoked Certificates (CRL), to make this fact public. These lists are public and must always be available.
Smart card (smartcard): q any card with integrated circuits that allow the execution of a certain programmed logic.
